LuckyMouse using legitimate security certificate to evade traps

The malicious cyber group LuckyMouse has scurried out of its hole spreading a previously unknown trojan that is particularly dangerous because it is signed with a legitimate digital certificate belonging to a cybersecurity company.

Kaspersky Lab’s Global Research and Analysis Team (GReAT) reported that, in addition to the certificate, the trojan uses a proprietary driver that allows the attackers to execute commands, upload and download files, and intercept traffic.

“The driver became the most interesting part of this campaign. To make it appear trustworthy, the group seemingly stole a digital certificate that belonged to an information security-related software developer, and used this to sign malware samples. This was done in an attempt to avoid being detected by security solutions, since a legitimate signature makes the malware look like legal software,” GReAT reported.

LuckyMouse has focused its efforts on political entities in South Eastern and Central Asia, activity consistent with nation-state-backed cyberespionage. GReAT noted that LuckyMouse’s activity level increases just before major events, such as world leaders gathering for a summit, and the research group stated that LuckyMouse is a Chinese-language-speaking threat actor.

Although GReAT did not say LuckyMouse activity was in preparation for these events, the United Nations General Assembly takes place in New York City from Sept. 18-25 and the G20 Summit will be held from Nov. 30 – Dec. 1 in Buenos Aires.
